* ext/openssl/ossl.h: Introduced OSSL_BIO_reset macro for PEM/DER

fallback scenarios. * ext/openssl/ossl_pkey_dsa.c * ext/openssl/ossl_x509req.c * ext/openssl/ossl_pkey_rsa.c * ext/openssl/ossl_pkey_ec.c * ext/openssl/ossl_ssl_session.c * ext/openssl/ossl_x509crl.c * ext/openssl/ossl_pkey.c * ext/openssl/ossl_pkey_dh.c * ext/openssl/ossl_x509cert.c * ext/openssl/ossl_pkcs7.c: Use OSSL_BIO_reset. * ext/openssl/ossl_ssl.c * ext/openssl/ossl_cipher.c * ext/openssl/ossl_pkey_ec.c * ext/openssl/ossl_pkcs12.c * ext/openssl/ossl_ssl_session.c: Replace rb_raise occurences by ossl_raise. This automatically flushes OpenSSL's error queue. * ext/openssl/ossl_pkcs7.c: Raise error if DER fallback for parsing fails. * test/openssl/test_pkey_ec.rb * test/openssl/test_pkey_dsa.rb * test/openssl/test_pkey_rsa.rb: Add assertions that OpenSSL.errors is empty. * test/openssl/test_pkey_rsa.rb: Remove initial OpenSSL.errors call in test_new. [ Ruby 1.9 - Bug #4885 ] [ruby-core:37134] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32199 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2011-06-22 08:41:08 +00:00 · 2011-06-22 08:41:08 +00:00 · 26cb830df9
commit 26cb830df9
parent 41c517d132
18 changed files with 121 additions and 70 deletions
--- a/35
+++ b/35
@ -1,3 +1,38 @@
+Wed Jun 22 17:37:49 2011  Martin Bosslet  <Martin.Bosslet@googlemail.com>
+
+	* ext/openssl/ossl.h: Introduced OSSL_BIO_reset macro for PEM/DER
+	  fallback scenarios.
+	
+	* ext/openssl/ossl_pkey_dsa.c
+	* ext/openssl/ossl_x509req.c
+	* ext/openssl/ossl_pkey_rsa.c
+	* ext/openssl/ossl_pkey_ec.c
+	* ext/openssl/ossl_ssl_session.c
+	* ext/openssl/ossl_x509crl.c
+	* ext/openssl/ossl_pkey.c
+	* ext/openssl/ossl_pkey_dh.c
+	* ext/openssl/ossl_x509cert.c
+	* ext/openssl/ossl_pkcs7.c: Use OSSL_BIO_reset.
+
+	* ext/openssl/ossl_ssl.c
+	* ext/openssl/ossl_cipher.c
+	* ext/openssl/ossl_pkey_ec.c
+	* ext/openssl/ossl_pkcs12.c
+	* ext/openssl/ossl_ssl_session.c: Replace rb_raise occurences by
+	  ossl_raise. This automatically flushes OpenSSL's error queue.
+
+	* ext/openssl/ossl_pkcs7.c: Raise error if DER fallback for parsing
+	  fails.
+
+	* test/openssl/test_pkey_ec.rb
+	* test/openssl/test_pkey_dsa.rb
+	* test/openssl/test_pkey_rsa.rb: Add assertions that OpenSSL.errors is
+	  empty.
+
+	* test/openssl/test_pkey_rsa.rb: Remove initial OpenSSL.errors call in
+	  test_new.
+	  [ Ruby 1.9 - Bug #4885 ] [ruby-core:37134]
+
 Wed Jun 22 15:01:24 2011  Martin Bosslet  <Martin.Bosslet@googlemail.com>

 	* ext/openssl/ossl_ssl.c: Use SSL_MODE_RELEASE_BUFFERS if available.
--- a/ext/openssl/ossl.h
+++ b/ext/openssl/ossl.h
@ -137,6 +137,13 @@ do{\
 */
 int ossl_pem_passwd_cb(char *, int, int, void *);

+/*
+ * Clear BIO* with this in PEM/DER fallback scenarios to avoid decoding
+ * errors piling up in OpenSSL::Errors
+ */
+#define OSSL_BIO_reset(bio)	(void)BIO_reset((bio)); \
+				ERR_clear_error();
+
 /*
 * ERRor messages
 */
--- a/ext/openssl/ossl_cipher.c
+++ b/ext/openssl/ossl_cipher.c
@ -293,7 +293,7 @@ ossl_cipher_pkcs5_keyivgen(int argc, VALUE *argv, VALUE self)
    if(!NIL_P(vsalt)){
 	StringValue(vsalt);
 	if(RSTRING_LEN(vsalt) != PKCS5_SALT_LEN)
-	    rb_raise(eCipherError, "salt must be an 8-octet string");
+	    ossl_raise(eCipherError, "salt must be an 8-octet string");
 	salt = (unsigned char *)RSTRING_PTR(vsalt);
    }
    iter = NIL_P(viter) ? 2048 : NUM2INT(viter);
@ -331,7 +331,7 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
    StringValue(data);
    in = (unsigned char *)RSTRING_PTR(data);
    if ((in_len = RSTRING_LENINT(data)) == 0)
-        rb_raise(rb_eArgError, "data must not be empty");
+        ossl_raise(rb_eArgError, "data must not be empty");
    GetCipher(self, ctx);
    out_len = in_len+EVP_CIPHER_CTX_block_size(ctx);

--- a/ext/openssl/ossl_pkcs12.c
+++ b/ext/openssl/ossl_pkcs12.c
@ -91,11 +91,11 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
 /* TODO: make a VALUE to nid function */
    if (!NIL_P(key_nid)) {
        if ((nkey = OBJ_txt2nid(StringValuePtr(key_nid))) == NID_undef)
-            rb_raise(rb_eArgError, "Unknown PBE algorithm %s", StringValuePtr(key_nid));
+            ossl_raise(rb_eArgError, "Unknown PBE algorithm %s", StringValuePtr(key_nid));
    }
    if (!NIL_P(cert_nid)) {
        if ((ncert = OBJ_txt2nid(StringValuePtr(cert_nid))) == NID_undef)
-            rb_raise(rb_eArgError, "Unknown PBE algorithm %s", StringValuePtr(cert_nid));
+            ossl_raise(rb_eArgError, "Unknown PBE algorithm %s", StringValuePtr(cert_nid));
    }
    if (!NIL_P(key_iter))
        kiter = NUM2INT(key_iter);
--- a/ext/openssl/ossl_pkcs7.c
+++ b/ext/openssl/ossl_pkcs7.c
@ -320,8 +320,10 @@ ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
    p7 = PEM_read_bio_PKCS7(in, &pkcs, NULL, NULL);
    DATA_PTR(self) = pkcs;
    if (!p7) {
-	(void)BIO_reset(in);
+	OSSL_BIO_reset(in);
        p7 = d2i_PKCS7_bio(in, &pkcs);
+	if (!p7) 
+	    ossl_raise(rb_eArgError, "Could not parse the PKCS7");
 	DATA_PTR(self) = pkcs;
    }
    BIO_free(in);
--- a/ext/openssl/ossl_pkey.c
+++ b/ext/openssl/ossl_pkey.c
@ -18,9 +18,6 @@ VALUE cPKey;
 VALUE ePKeyError;
 ID id_private_q;

-#define reset_bio(b)		(void)BIO_reset((b)); \
-				(void)ERR_get_error();
-
 /*
 * callback for generating keys
 */
@ -114,14 +111,14 @@ ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)

     bio = ossl_obj2bio(data);
     if (!(pkey = d2i_PrivateKey_bio(bio, NULL))) {
-	reset_bio(bio);
+	OSSL_BIO_reset(bio);
 	if (!NIL_P(pass)) {
 	    passwd = StringValuePtr(pass);
 	}
 	if (!(pkey = PEM_read_bio_PrivateKey(bio, NULL, ossl_pem_passwd_cb, passwd))) {
-	    reset_bio(bio);
+	    OSSL_BIO_reset(bio);
 	    if (!(pkey = d2i_PUBKEY_bio(bio, NULL))) {
-		reset_bio(bio);
+		OSSL_BIO_reset(bio);
 		if (!NIL_P(pass)) {
 		    passwd = StringValuePtr(pass);
 		}
--- a/ext/openssl/ossl_pkey_dh.c
+++ b/ext/openssl/ossl_pkey_dh.c
@ -180,13 +180,11 @@ ossl_dh_initialize(int argc, VALUE *argv, VALUE self)
 	in = ossl_obj2bio(arg);
 	dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
 	if (!dh){
-	    (void)BIO_reset(in);
-	    (void)ERR_get_error();
+	    OSSL_BIO_reset(in);
 	    dh = d2i_DHparams_bio(in, NULL);
 	}
 	BIO_free(in);
 	if (!dh) {
-	    (void)ERR_get_error();
 	    ossl_raise(eDHError, NULL);
 	}
    }
--- a/ext/openssl/ossl_pkey_dsa.c
+++ b/ext/openssl/ossl_pkey_dsa.c
@ -166,28 +166,24 @@ ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)
 	in = ossl_obj2bio(arg);
 	dsa = PEM_read_bio_DSAPrivateKey(in, NULL, ossl_pem_passwd_cb, passwd);
 	if (!dsa) {
-	    (void)BIO_reset(in);
-	    (void)ERR_get_error();
+	    OSSL_BIO_reset(in);
 	    dsa = PEM_read_bio_DSA_PUBKEY(in, NULL, NULL, NULL);
 	}
 	if (!dsa) {
-	    (void)BIO_reset(in);
-	    (void)ERR_get_error();
+	    OSSL_BIO_reset(in);
 	    dsa = d2i_DSAPrivateKey_bio(in, NULL);
 	}
 	if (!dsa) {
-	    (void)BIO_reset(in);
-	    (void)ERR_get_error();
+	    OSSL_BIO_reset(in);
 	    dsa = d2i_DSA_PUBKEY_bio(in, NULL);
 	}
 	if (!dsa) {
-	    (void)BIO_reset(in);
-	    (void)ERR_get_error();
+	    OSSL_BIO_reset(in);
 	    dsa = PEM_read_bio_DSAPublicKey(in, NULL, NULL, NULL);
 	}
 	BIO_free(in);
 	if (!dsa) {
-	    (void)ERR_get_error();
+	    ERR_clear_error();
 	    ossl_raise(eDSAError, "Neither PUB key nor PRIV key:");
 	}
    }
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@ -42,7 +42,7 @@ typedef struct {
 #define Require_EC_KEY(obj, key) do { \
    Get_EC_KEY((obj), (key)); \
    if ((key) == NULL) \
-        rb_raise(eECError, "EC_KEY is not initialized"); \
+        ossl_raise(eECError, "EC_KEY is not initialized"); \
 } while(0)

 #define SafeRequire_EC_KEY(obj, key) do { \
@ -54,14 +54,14 @@ typedef struct {
    ossl_ec_group *ec_group; \
    Data_Get_Struct((obj), ossl_ec_group, ec_group); \
    if (ec_group == NULL) \
-        rb_raise(eEC_GROUP, "missing ossl_ec_group structure"); \
+        ossl_raise(eEC_GROUP, "missing ossl_ec_group structure"); \
    (g) = ec_group->group; \
 } while(0)

 #define Require_EC_GROUP(obj, group) do { \
    Get_EC_GROUP((obj), (group)); \
    if ((group) == NULL) \
-        rb_raise(eEC_GROUP, "EC_GROUP is not initialized"); \
+        ossl_raise(eEC_GROUP, "EC_GROUP is not initialized"); \
 } while(0)

 #define SafeRequire_EC_GROUP(obj, group) do { \
@ -73,14 +73,14 @@ typedef struct {
    ossl_ec_point *ec_point; \
    Data_Get_Struct((obj), ossl_ec_point, ec_point); \
    if (ec_point == NULL) \
-        rb_raise(eEC_POINT, "missing ossl_ec_point structure"); \
+        ossl_raise(eEC_POINT, "missing ossl_ec_point structure"); \
    (p) = ec_point->point; \
 } while(0)

 #define Require_EC_POINT(obj, point) do { \
    Get_EC_POINT((obj), (point)); \
    if ((point) == NULL) \
-        rb_raise(eEC_POINT, "EC_POINT is not initialized"); \
+        ossl_raise(eEC_POINT, "EC_POINT is not initialized"); \
 } while(0)

 #define SafeRequire_EC_POINT(obj, point) do { \
@ -168,7 +168,7 @@ static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self)

    GetPKey(self, pkey);
    if (pkey->pkey.ec)
-        rb_raise(eECError, "EC_KEY already initialized");
+        ossl_raise(eECError, "EC_KEY already initialized");

    rb_scan_args(argc, argv, "02", &arg, &pass);

@ -191,18 +191,15 @@ static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self)
 	    }
 	    ec = PEM_read_bio_ECPrivateKey(in, NULL, ossl_pem_passwd_cb, passwd);
            if (!ec) {
-                (void)BIO_reset(in);
-                (void)ERR_get_error();
+		OSSL_BIO_reset(in);
 		ec = PEM_read_bio_EC_PUBKEY(in, NULL, ossl_pem_passwd_cb, passwd);
            }
            if (!ec) {
-                (void)BIO_reset(in);
-                (void)ERR_get_error();
+		OSSL_BIO_reset(in);
                ec = d2i_ECPrivateKey_bio(in, NULL);
            }
            if (!ec) {
-                (void)BIO_reset(in);
-                (void)ERR_get_error();
+		OSSL_BIO_reset(in);
                ec = d2i_EC_PUBKEY_bio(in, NULL);
            }

@ -478,7 +475,7 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
    Require_EC_KEY(self, ec);

    if (EC_KEY_get0_public_key(ec) == NULL)
-        rb_raise(eECError, "can't export - no public key set");
+        ossl_raise(eECError, "can't export - no public key set");

    if (EC_KEY_check_key(ec) != 1)
 	ossl_raise(eECError, "can't export - EC_KEY_check_key failed");
@ -518,7 +515,7 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
    	break;
    default:
        BIO_free(out);
-    	rb_raise(rb_eRuntimeError, "unknown format (internal error)");
+    	ossl_raise(rb_eRuntimeError, "unknown format (internal error)");
    }

    if (i != 1) {
@ -746,7 +743,7 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)

    Data_Get_Struct(self, ossl_ec_group, ec_group);
    if (ec_group->group != NULL)
-        rb_raise(rb_eRuntimeError, "EC_GROUP is already initialized");
+        ossl_raise(rb_eRuntimeError, "EC_GROUP is already initialized");

    switch (rb_scan_args(argc, argv, "13", &arg1, &arg2, &arg3, &arg4)) {
    case 1:
@ -768,7 +765,7 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)
                if ((group = EC_GROUP_new(method)) == NULL)
                    ossl_raise(eEC_GROUP, "EC_GROUP_new");
            } else {
-                rb_raise(rb_eArgError, "unknown symbol, must be :GFp_simple, :GFp_mont, :GFp_nist or :GF2m_simple");
+                ossl_raise(rb_eArgError, "unknown symbol, must be :GFp_simple, :GFp_mont, :GFp_nist or :GF2m_simple");
            }
        } else if (rb_obj_is_kind_of(arg1, cEC_GROUP)) {
            const EC_GROUP *arg1_group;
@ -781,7 +778,7 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)

            group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
            if (!group) {
-                (void)BIO_reset(in);
+		OSSL_BIO_reset(in);
                group = d2i_ECPKParameters_bio(in, NULL);
            }

@ -791,6 +788,7 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)
                const char *name = StringValueCStr(arg1);
                int nid = OBJ_sn2nid(name);

+		(void)ERR_get_error();
                if (nid == NID_undef)
                    ossl_raise(eEC_GROUP, "unknown curve name (%s)", name);

@ -817,18 +815,18 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)
            } else if (id == s_GF2m) {
                new_curve = EC_GROUP_new_curve_GF2m;
            } else {
-                rb_raise(rb_eArgError, "unknown symbol, must be :GFp or :GF2m");
+                ossl_raise(rb_eArgError, "unknown symbol, must be :GFp or :GF2m");
            }

            if ((group = new_curve(p, a, b, ossl_bn_ctx)) == NULL)
                ossl_raise(eEC_GROUP, "EC_GROUP_new_by_GF*");
        } else {
-             rb_raise(rb_eArgError, "unknown argument, must be :GFp or :GF2m");
+             ossl_raise(rb_eArgError, "unknown argument, must be :GFp or :GF2m");
        }

        break;
    default:
-        rb_raise(rb_eArgError, "wrong number of arguments");
+        ossl_raise(rb_eArgError, "wrong number of arguments");
    }

    if (group == NULL)
@ -1044,7 +1042,7 @@ static VALUE ossl_ec_group_get_point_conversion_form(VALUE self)
    case POINT_CONVERSION_UNCOMPRESSED:	ret = ID_uncompressed; break;
    case POINT_CONVERSION_COMPRESSED:	ret = ID_compressed; break;
    case POINT_CONVERSION_HYBRID:	ret = ID_hybrid; break;
-    default:	rb_raise(eEC_GROUP, "unsupported point conversion form: %d, this module should be updated", form);
+    default:	ossl_raise(eEC_GROUP, "unsupported point conversion form: %d, this module should be updated", form);
    }

   return ID2SYM(ret);
@ -1070,7 +1068,7 @@ static VALUE ossl_ec_group_set_point_conversion_form(VALUE self, VALUE form_v)
    } else if (form_id == ID_hybrid) {
        form = POINT_CONVERSION_HYBRID;
    } else {
-        rb_raise(rb_eArgError, "form must be :compressed, :uncompressed, or :hybrid");
+        ossl_raise(rb_eArgError, "form must be :compressed, :uncompressed, or :hybrid");
    }

    EC_GROUP_set_point_conversion_form(group, form);
@ -1153,7 +1151,7 @@ static VALUE ossl_ec_group_to_string(VALUE self, int format)
    	break;
    default:
        BIO_free(out);
-    	rb_raise(rb_eRuntimeError, "unknown format (internal error)");
+    	ossl_raise(rb_eRuntimeError, "unknown format (internal error)");
    }

    if (i != 1) {
@ -1246,7 +1244,7 @@ static VALUE ossl_ec_point_initialize(int argc, VALUE *argv, VALUE self)

    Data_Get_Struct(self, ossl_ec_point, ec_point);
    if (ec_point->point)
-        rb_raise(eEC_POINT, "EC_POINT already initialized");
+        ossl_raise(eEC_POINT, "EC_POINT already initialized");

    switch (rb_scan_args(argc, argv, "11", &arg1, &arg2)) {
    case 1:
@ -1264,13 +1262,13 @@ static VALUE ossl_ec_point_initialize(int argc, VALUE *argv, VALUE self)

            point = EC_POINT_new(group);
        } else {
-            rb_raise(eEC_POINT, "wrong argument type: must be OpenSSL::PKey::EC::Point or OpenSSL::Pkey::EC::Group");
+            ossl_raise(eEC_POINT, "wrong argument type: must be OpenSSL::PKey::EC::Point or OpenSSL::Pkey::EC::Group");
        }

        break;
     case 2:
        if (!rb_obj_is_kind_of(arg1, cEC_GROUP))
-            rb_raise(rb_eArgError, "1st argument must be OpenSSL::PKey::EC::Group");
+            ossl_raise(rb_eArgError, "1st argument must be OpenSSL::PKey::EC::Group");
        group_v = arg1;
        SafeRequire_EC_GROUP(group_v, group);

@ -1291,14 +1289,14 @@ static VALUE ossl_ec_point_initialize(int argc, VALUE *argv, VALUE self)
        }
        break;
    default:
-        rb_raise(rb_eArgError, "wrong number of arguments");
+        ossl_raise(rb_eArgError, "wrong number of arguments");
    }

    if (point == NULL)
        ossl_raise(eEC_POINT, NULL);

    if (NIL_P(group_v))
-        rb_raise(rb_eRuntimeError, "missing group (internal error)");
+        ossl_raise(rb_eRuntimeError, "missing group (internal error)");

    ec_point->point = point;

--- a/ext/openssl/ossl_pkey_rsa.c
+++ b/ext/openssl/ossl_pkey_rsa.c
@ -157,33 +157,27 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)
 	in = ossl_obj2bio(arg);
 	rsa = PEM_read_bio_RSAPrivateKey(in, NULL, ossl_pem_passwd_cb, passwd);
 	if (!rsa) {
-	    (void)BIO_reset(in);
-	    (void)ERR_get_error();
+	    OSSL_BIO_reset(in);
 	    rsa = PEM_read_bio_RSA_PUBKEY(in, NULL, NULL, NULL);
 	}
 	if (!rsa) {
-	    (void)BIO_reset(in);
-	    (void)ERR_get_error();
+	    OSSL_BIO_reset(in);
 	    rsa = d2i_RSAPrivateKey_bio(in, NULL);
 	}
 	if (!rsa) {
-	    (void)BIO_reset(in);
-	    (void)ERR_get_error();
+	    OSSL_BIO_reset(in);
 	    rsa = d2i_RSA_PUBKEY_bio(in, NULL);
 	}
 	if (!rsa) {
-	    (void)BIO_reset(in);
-	    (void)ERR_get_error();
+	    OSSL_BIO_reset(in);
 	    rsa = PEM_read_bio_RSAPublicKey(in, NULL, NULL, NULL);
 	}
 	if (!rsa) {
-	    (void)BIO_reset(in);
-	    (void)ERR_get_error();
+	    OSSL_BIO_reset(in);
 	    rsa = d2i_RSAPublicKey_bio(in, NULL);
 	}
 	BIO_free(in);
 	if (!rsa) {
-	    (void)ERR_get_error();
 	    ossl_raise(eRSAError, "Neither PUB key nor PRIV key:");
 	}
    }
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@ -493,7 +493,7 @@ ossl_call_servername_cb(VALUE ary)
        Data_Get_Struct(ret_obj, SSL_CTX, ctx2);
        SSL_set_SSL_CTX(ssl, ctx2);
    } else if (!NIL_P(ret_obj)) {
-            rb_raise(rb_eArgError, "servername_cb must return an OpenSSL::SSL::SSLContext object or nil");
+            ossl_raise(rb_eArgError, "servername_cb must return an OpenSSL::SSL::SSLContext object or nil");
    }

    return ret_obj;
@ -952,7 +952,7 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
    } else if (rb_obj_is_instance_of(arg1, rb_cTime)) {
        tm = NUM2LONG(rb_funcall(arg1, rb_intern("to_i"), 0));
    } else {
-        rb_raise(rb_eArgError, "arg must be Time or nil");
+        ossl_raise(rb_eArgError, "arg must be Time or nil");
    }

    SSL_CTX_flush_sessions(ctx, (long)tm);
--- a/ext/openssl/ossl_ssl_session.c
+++ b/ext/openssl/ossl_ssl_session.c
@ -53,7 +53,7 @@ static VALUE ossl_ssl_session_initialize(VALUE self, VALUE arg1)
 		ctx = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL);

 		if (!ctx) {
-			(void)BIO_reset(in);
+		        OSSL_BIO_reset(in);
 			ctx = d2i_SSL_SESSION_bio(in, NULL);
 		}

@ -152,7 +152,7 @@ static VALUE ossl_ssl_session_get_timeout(VALUE self)
 		} else if (FIXNUM_P(time_v)) {					\
 			;							\
 		} else {							\
-			rb_raise(rb_eArgError, "unknown type");			\
+			ossl_raise(rb_eArgError, "unknown type");			\
 		}								\
 										\
 		t = NUM2ULONG(time_v);						\
--- a/ext/openssl/ossl_x509cert.c
+++ b/ext/openssl/ossl_x509cert.c
@ -71,6 +71,7 @@ ossl_x509_new_from_file(VALUE filename)
     * prepare for DER...
 #if !defined(OPENSSL_NO_FP_API)
    if (!x509) {
+    	(void)ERR_get_error();
 	rewind(fp);

 	x509 = d2i_X509_fp(fp, NULL);
@ -146,7 +147,7 @@ ossl_x509_initialize(int argc, VALUE *argv, VALUE self)
    x509 = PEM_read_bio_X509(in, &x, NULL, NULL);
    DATA_PTR(self) = x;
    if (!x509) {
-	(void)BIO_reset(in);
+	OSSL_BIO_reset(in);
 	x509 = d2i_X509_bio(in, &x);
 	DATA_PTR(self) = x;
    }
--- a/ext/openssl/ossl_x509crl.c
+++ b/ext/openssl/ossl_x509crl.c
@ -102,7 +102,7 @@ ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self)
    crl = PEM_read_bio_X509_CRL(in, &x, NULL, NULL);
    DATA_PTR(self) = x;
    if (!crl) {
-	(void)BIO_reset(in);
+	OSSL_BIO_reset(in);
 	crl = d2i_X509_CRL_bio(in, &x);
 	DATA_PTR(self) = x;
    }
--- a/ext/openssl/ossl_x509req.c
+++ b/ext/openssl/ossl_x509req.c
@ -110,7 +110,7 @@ ossl_x509req_initialize(int argc, VALUE *argv, VALUE self)
    req = PEM_read_bio_X509_REQ(in, &x, NULL, NULL);
    DATA_PTR(self) = x;
    if (!req) {
-	(void)BIO_reset(in);
+	OSSL_BIO_reset(in);
 	req = d2i_X509_REQ_bio(in, &x);
 	DATA_PTR(self) = x;
    }
--- a/test/openssl/test_pkey_dsa.rb
+++ b/test/openssl/test_pkey_dsa.rb
@ -76,6 +76,7 @@ end
    assert_equal(g, key.g)
    assert_equal(y, key.pub_key)
    assert_equal(nil, key.priv_key)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_DSAPublicKey_pem
@ -100,6 +101,7 @@ fWLOqqkzFeRrYMDzUpl36XktY6Yq8EJYlW9pCMmBVNy/dQ==
    assert_equal(g, key.g)
    assert_equal(y, key.pub_key)
    assert_equal(nil, key.priv_key)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_DSA_PUBKEY_pem
@ -125,6 +127,7 @@ YNMbNw==
    assert_equal(g, key.g)
    assert_equal(y, key.pub_key)
    assert_equal(nil, key.priv_key)
+    assert_equal([], OpenSSL.errors)
  end

  def test_export_format_is_DSA_PUBKEY_pem
@ -154,6 +157,7 @@ YNMbNw==
    pub_key = OpenSSL::ASN1.decode(seq[1].value)
    assert_equal(OpenSSL::ASN1::INTEGER, pub_key.tag)
    assert_equal(key.pub_key, pub_key.value)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_der
@ -162,6 +166,7 @@ YNMbNw==
    key2 = OpenSSL::PKey.read(der)
    assert(key2.private?)
    assert_equal(der, key2.to_der)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem
@ -170,6 +175,7 @@ YNMbNw==
    key2 = OpenSSL::PKey.read(pem)
    assert(key2.private?)
    assert_equal(pem, key2.to_pem)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_public_key_der
@ -178,6 +184,7 @@ YNMbNw==
    key2 = OpenSSL::PKey.read(der)
    assert(!key2.private?)
    assert_equal(der, key2.to_der)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_public_key_pem
@ -186,6 +193,7 @@ YNMbNw==
    key2 = OpenSSL::PKey.read(pem)
    assert(!key2.private?)
    assert_equal(pem, key2.to_pem)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem_pw
@ -200,6 +208,7 @@ YNMbNw==
    key2 = OpenSSL::PKey.read(pem, 'secret')
    assert(key2.private?)
    #omit pem equality check, will be different due to cipher iv
+    assert_equal([], OpenSSL.errors)
  end

  private
--- a/test/openssl/test_pkey_ec.rb
+++ b/test/openssl/test_pkey_ec.rb
@ -126,6 +126,7 @@ class OpenSSL::TestEC < Test::Unit::TestCase
    ec2 = OpenSSL::PKey.read(der)
    assert(ec2.private_key?)
    assert_equal(der, ec2.to_der)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem
@ -134,6 +135,7 @@ class OpenSSL::TestEC < Test::Unit::TestCase
    ec2 = OpenSSL::PKey.read(pem)
    assert(ec2.private_key?)
    assert_equal(pem, ec2.to_pem)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_public_key_der
@ -144,6 +146,7 @@ class OpenSSL::TestEC < Test::Unit::TestCase
    ec3 = OpenSSL::PKey.read(der)
    assert(!ec3.private_key?)
    assert_equal(der, ec3.to_der)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_public_key_pem
@ -154,6 +157,7 @@ class OpenSSL::TestEC < Test::Unit::TestCase
    ec3 = OpenSSL::PKey.read(pem)
    assert(!ec3.private_key?)
    assert_equal(pem, ec3.to_pem)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem_pw
@ -168,6 +172,7 @@ class OpenSSL::TestEC < Test::Unit::TestCase
    ec2 = OpenSSL::PKey.read(pem, 'secret')
    assert(ec2.private_key?)
    #omit pem equality check, will be different due to cipher iv
+    assert_equal([], OpenSSL.errors)
  end

 # test Group: asn1_flag, point_conversion
--- a/test/openssl/test_pkey_rsa.rb
+++ b/test/openssl/test_pkey_rsa.rb
@ -42,7 +42,6 @@ class OpenSSL::TestPKeyRSA < Test::Unit::TestCase
  end

  def test_new
-    OpenSSL.errors
    key = OpenSSL::PKey::RSA.new 512
    pem  = key.public_key.to_pem
    OpenSSL::PKey::RSA.new pem
@ -92,6 +91,7 @@ class OpenSSL::TestPKeyRSA < Test::Unit::TestCase
    assert_equal(nil, key.d)
    assert_equal(nil, key.p)
    assert_equal(nil, key.q)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_RSA_PUBKEY
@ -110,6 +110,7 @@ class OpenSSL::TestPKeyRSA < Test::Unit::TestCase
    assert_equal(nil, key.d)
    assert_equal(nil, key.p)
    assert_equal(nil, key.q)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_RSAPublicKey_pem
@ -129,6 +130,7 @@ AudJR1JobbIbDJrQu6AXnWh5k/YtAgMBAAE=
    assert_equal(nil, key.d)
    assert_equal(nil, key.p)
    assert_equal(nil, key.q)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_RSA_PUBKEY_pem
@ -149,6 +151,7 @@ AwEAAQ==
    assert_equal(nil, key.d)
    assert_equal(nil, key.p)
    assert_equal(nil, key.q)
+    assert_equal([], OpenSSL.errors)
  end

  def test_export_format_is_RSA_PUBKEY
@ -170,6 +173,7 @@ AwEAAQ==
    key = OpenSSL::PKey.read(der)
    assert(key.private?)
    assert_equal(der, key.to_der)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem
@ -177,6 +181,7 @@ AwEAAQ==
    key = OpenSSL::PKey.read(pem)
    assert(key.private?)
    assert_equal(pem, key.to_pem)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_public_key_der
@ -184,6 +189,7 @@ AwEAAQ==
    key = OpenSSL::PKey.read(der)
    assert(!key.private?)
    assert_equal(der, key.to_der)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_public_key_pem
@ -191,6 +197,7 @@ AwEAAQ==
    key = OpenSSL::PKey.read(pem)
    assert(!key.private?)
    assert_equal(pem, key.to_pem)
+    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem_pw
@ -204,6 +211,7 @@ AwEAAQ==
    key = OpenSSL::PKey.read(pem, 'secret')
    assert(key.private?)
    #omit pem equality check, will be different due to cipher iv
+    assert_equal([], OpenSSL.errors)
  end

  private
@ -228,6 +236,7 @@ AwEAAQ==
    assert_equal(key.n, pub_key.value[0].value)
    assert_equal(OpenSSL::ASN1::INTEGER, pub_key.value[1].tag)
    assert_equal(key.e, pub_key.value[1].value)
+    assert_equal([], OpenSSL.errors)
  end

 end